1 Introduction

We consider "iterative" algorithms for achieving approximate Byzantine consensus in synchronous point-to-point communication networks that are modeled by arbitrary directed graphs. The iterative approximate Byzantine consensus (IABC) algorithms of interest have the following properties:

• Initial state of each node is equal to a real-valued input provided to that node.

• Validity condition: After each iteration of an IABC algorithm, the state of each fault-free node must remain in the convex hull of the states of the fault-free nodes at the end of the previous iteration.¹

• Convergence condition: For any $\epsilon > 0$, after a sufficiently large number of iterations, the states of the fault-free nodes are guaranteed to be within $\epsilon$ of each other.

In this paper, we are interested in parameter-independent algorithms that do not require explicit knowledge of the upper bound on the number of faults to be tolerated. In particular, we introduce a specific parameter-independent IABC algorithm, named Middle Algorithm. We derive a necessary condition on the underlying communication graph under which the Middle algorithm can tolerate up to $f$ Byzantine faults. For graphs that satisfy this necessary condition, we show the correctness of Middle Algorithm, proving that our necessary condition is tight.

For a more thorough discussion of related work, please refer to our previous work [3].

2 System Model

Communication model: The system is assumed to be synchronous. The communication network is modeled as a simple directed graph $G(\mathcal{V}, \mathcal{E})$, where $\mathcal{V} = \{1, \ldots, n\}$ is the set of $n$ nodes, and $\mathcal{E}$ is the set of directed edges between the nodes in $\mathcal{V}$. With a slight abuse of terminology, we will use the terms edge and link interchangeably. We assume that $n \ge 2$, since the consensus problem for $n = 1$ is trivial. Node $i$ can reliably transmit messages to node $j$ if and only if the directed edge $(i, j)$ is in $\mathcal{E}$. Each node can send messages to itself as well; however, for convenience, we exclude self-loops from set $\mathcal{E}$. That is, $(i, i) \notin \mathcal{E}$ for $i \in \mathcal{V}$.

For each node $i$, let $N_i^-$ be the set of nodes from which $i$ has incoming edges. That is, $N_i^- = \{\, j \mid (j, i) \in \mathcal{E} \,\}$. Similarly define $N_i^+$ as the set of nodes to which node $i$ has outgoing edges. That is, $N_i^+ = \{\, j \mid (i, j) \in \mathcal{E} \,\}$. Nodes in $N_i^-$ and $N_i^+$ are, respectively, said to be incoming and outgoing neighbors of node $i$. Since we exclude self-loops from $\mathcal{E}$, $i \notin N_i^-$ and $i \notin N_i^+$. However, we note again that each node can indeed send messages to itself.

Failure Model: We consider the Byzantine failure model, with up to $f$ nodes becoming faulty. A faulty node may misbehave arbitrarily. Possible misbehavior includes sending incorrect and mismatching (or inconsistent) messages to different neighbors. The faulty nodes may potentially collaborate with each other. Moreover, the faulty nodes are assumed to have complete knowledge of the execution of the algorithm, including the states of all the nodes, the contents of messages the other nodes send to each other, the algorithm specification, and the network topology.

¹ See Section 6 for a variation on the validity condition.
3 Middle Algorithm

The Middle algorithm is an iterative approximate Byzantine consensus (IABC) algorithm, and its structure is similar to other algorithms studied in prior work [1, 2, 3]. Each node $i$ maintains state $v_i$, with $v_i[t]$ denoting the state of node $i$ at the end of the $t$-th iteration of the algorithm ($t \ge 0$). The initial state of node $i$, $v_i[0]$, is equal to the initial input provided to node $i$. At the start of the $t$-th iteration ($t > 0$), the state of node $i$ is $v_i[t-1]$. The Middle algorithm requires each node $i$ to perform the following three steps in iteration $t$, where $t > 0$. Note that the faulty nodes may deviate from this specification.

Middle Algorithm

1. Transmit step: Transmit current state $v_i[t-1]$ on all outgoing edges.

2. Receive step: Receive values on all incoming edges. These values form vector $r_i[t]$ of size $|N_i^-|$. When a fault-free node expects to receive a message from a neighbor but does not receive the message, the message value is assumed to be equal to some default value.

3. Update step:

• Sort the values in $r_i[t]$ in increasing order with ties broken arbitrarily, and use the sorted order of values to form a partition of the nodes in $N_i^-$ into sets $B$, $M$, $T$ as follows: (i) set $B$ contains the nodes from whom the smallest $\lfloor |N_i^-|/3 \rfloor$ values in the sorted $r_i[t]$ are received, (ii) set $T$ contains the nodes from whom the largest $\lfloor |N_i^-|/3 \rfloor$ values in the sorted $r_i[t]$ are received, and (iii) set $M$ contains the remaining nodes, from whom the values in the "middle" of the sorted $r_i[t]$ are received. That is, $M = N_i^- - B - T$.² Thus, $|M| = |N_i^-| - 2\lfloor |N_i^-|/3 \rfloor$.

• Let $w_j$ denote the value received from node $j \in M$. For convenience, define $w_i = v_i[t-1]$ to be the value node $i$ "receives" from itself. Observe that if $j \in \{i\} \cup M$ is fault-free, then $w_j = v_j[t-1]$.

• Define

$$v_i[t] = \sum_{j \in \{i\} \cup M} a_i\, w_j \qquad (1)$$

where

$$a_i = \frac{1}{|M| + 1} = \frac{1}{|N_i^-| - 2\lfloor |N_i^-|/3 \rfloor + 1}.$$

The "weight" of each term on the right-hand side of (1) is $a_i$, and these weights add to 1. Also, $0 < a_i \le 1$.

For future reference, let us define $\alpha$ as:

$$\alpha = \min_i a_i \qquad (2)$$

We now define $U[t]$ and $\mu[t]$, assuming that $\mathcal{F}$ is the set of Byzantine faulty nodes, with the nodes in $\mathcal{V} - \mathcal{F}$ being fault-free.

• $U[t] = \max_{i \in \mathcal{V} - \mathcal{F}} v_i[t]$. $U[t]$ is the largest state among the fault-free nodes at the end of the $t$-th iteration. Since the initial state of each node is equal to its input, $U[0]$ is equal to the maximum value of the initial input at the fault-free nodes.

• $\mu[t] = \min_{i \in \mathcal{V} - \mathcal{F}} v_i[t]$. $\mu[t]$ is the smallest state among the fault-free nodes at the end of the $t$-th iteration. $\mu[0]$ is equal to the minimum value of the initial input at the fault-free nodes.

The Middle algorithm is correct if it satisfies the following conditions in the presence of up to $f$ Byzantine faulty nodes:

• Validity: $\forall t > 0$, $\mu[t] \ge \mu[t-1]$ and $U[t] \le U[t-1]$

• Convergence: $\lim_{t \to \infty} U[t] - \mu[t] = 0$

The objective in this paper is to identify the necessary and sufficient conditions for the Middle algorithm to satisfy the above validity and convergence conditions for a given $G(\mathcal{V}, \mathcal{E})$.

² For sets $X$ and $Y$, $X - Y$ contains the elements that are in $X$ but not in $Y$. That is, $X - Y = \{\, i \mid i \in X, i \notin Y \,\}$.

4 Necessary Condition

For the Middle algorithm to be correct, the network graph $G(\mathcal{V}, \mathcal{E})$ must satisfy the necessary condition proved in this section. We first define relations $\Rightarrow$ and $\not\Rightarrow$ that are used frequently in our discussion.

Definition 1 For non-empty disjoint sets of nodes $A$ and $B$,

• $A \Rightarrow B$ iff there exists a node $v \in B$ such that

$$\frac{|N_v^- \cap A|}{|N_v^-|} \ge \frac{1}{3} \qquad (3)$$

• $A \not\Rightarrow B$ iff $A \Rightarrow B$ is not true.

Theorem 1 Suppose that Middle Algorithm is correct in graph $G(\mathcal{V}, \mathcal{E})$ in the presence of up to $f$ Byzantine faults. Then, both the following conditions must be true:

• For every node $v \in \mathcal{V}$, $|N_v^-| \ge 3f$.

• Let sets $F, L, C, R$ form a partition³ of $\mathcal{V}$, such that $L$ and $R$ are both non-empty, and $|F| \le f$. Then, either $C \cup R \Rightarrow L$, or $L \cup C \Rightarrow R$.

³ Sets $X_1, X_2, X_3, \ldots, X_p$ are said to form a partition of set $X$ provided that (i) $\bigcup_{1 \le i \le p} X_i = X$, and (ii) $X_i \cap X_j = \emptyset$ if $i \ne j$.

Proof:

Proof of first condition: The first condition is trivially true when $f = 0$. Thus, let us now assume that $f \ge 1$. Suppose by way of contradiction that there exists a node $i$ such that $|N_i^-| < 3f$. Consider two cases in iteration 1:



• $|N_i^-| = 0$: Suppose that node $i$ has initial input $X$, and all the remaining nodes have input $x$, where $x < X$. Since node $i$ has no incoming edges, clearly $v_i[1] = X$.

Consider two cases:

- There exists a node $j \ne i$ such that $(i, j) \in \mathcal{E}$, and the in-degree of node $j$ is such that the value $X$ is not eliminated in the Update step, i.e., $|N_j^-| \le 2$: In this case, $v_j[1] > x$ since $X > x$. However, in the event that node $i$ is actually faulty, $v_j[1]$ will not satisfy the validity condition, since the initial inputs at all the fault-free nodes are all $x$ (if node $i$ were to be faulty).

- For each node $j \ne i$, either $(i, j) \notin \mathcal{E}$, or $(i, j) \in \mathcal{E}$ but the value received from node $i$ is dropped at node $j$ during the Update step: In this case, all the values that affect the new state of node $j$ are $x$, and $v_j[1] = x$. It is easy to see that the same scenario will repeat in each iteration, violating the convergence condition when all the nodes (including $i$) are fault-free ($v_i$ remains at $X$, and for each node $j \ne i$, $v_j$ remains at $x$).

• $|N_i^-| \ge 1$: Assume that $\min(f, |N_i^-|)$ incoming neighbors of node $i$ are faulty, and that all the remaining nodes are fault-free. Let $F$ denote the set of faulty nodes. Note that $|F| \ge 1$.

Let $R = \mathcal{V} - \{i\} - F$. Consider the case when (i) each node in $R$ has input $x$, and (ii) node $i$ has input $X > x$. In the Transmit step of iteration 1, suppose that the faulty nodes in $F$ send a sufficiently large value $Y$ (elaborated below) on outgoing links to node $i$, and send value $x$ on outgoing links to nodes in $R$. This behavior is possible since nodes in $F$ are faulty. Each fault-free node $k \in \mathcal{V} - F$ sends $v_k[0]$ (its input) on all its outgoing links.

Since $|N_i^-| < 3f$, set $M$ at node $i$ in iteration 1 contains at least one value received from a faulty incoming neighbor. Then it is easy to see that the faulty nodes can choose $Y$ such that $v_i[1] > X$. Since $i$ is fault-free, and $v_i[1]$ exceeds the initial input at all the fault-free nodes, the validity condition is violated.

In all cases above, either validity or convergence is violated, contradicting the assumption that the Middle algorithm is correct in the given graph.
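The Update step of Section 3 and the in-degree argument of the first-condition proof above, as an added illustration (this is not code from the paper): a Python simulation of the Middle algorithm. The complete 5-node graph, the inputs, the faulty node's transmit rule and the function names (`middle_update`, `run_middle`, `low_indegree_state`) are all constructed for this example. The second case of the proof is reproduced directly: with $|N_i^-| = 2 < 3f$ nothing is trimmed, so the faulty neighbour's value lands in $M$ and pushes $v_i[1]$ above the largest fault-free input, whereas with $|N_i^-| = 3$ the same value is trimmed into $T$.

```python
"""Middle algorithm update step and a synchronous simulation with one
Byzantine node.  Added example, not the paper's code; every graph, input and
faulty-node strategy below is constructed for illustration."""
from typing import Callable, Dict, List

# A faulty node's transmit rule: (receiver, iteration, all current states) -> value sent.
# Byzantine nodes may send different values to different receivers and know every state.
Strategy = Callable[[int, int, Dict[int, float]], float]


def middle_update(own_state: float, received: List[float]) -> float:
    """Update step: drop the smallest and largest floor(|N_i^-|/3) received
    values (sets B and T), keep the middle ones (set M), and average them
    together with the node's own state with equal weight a_i = 1/(|M|+1),
    as in equation (1)."""
    k = len(received) // 3
    srt = sorted(received)
    middle = srt[k:len(srt) - k]        # values from the nodes in M
    kept = middle + [own_state]         # j in {i} U M
    return sum(kept) / len(kept)


def run_middle(in_nbrs: Dict[int, List[int]], init: Dict[int, float],
               faulty: Dict[int, Strategy], rounds: int) -> List[Dict[int, float]]:
    """Synchronous execution for `rounds` iterations.  Returns the fault-free
    nodes' states after each iteration (index 0 is the initial input)."""
    states = dict(init)
    history = [{i: v for i, v in states.items() if i not in faulty}]
    for t in range(1, rounds + 1):
        new = dict(states)                       # faulty nodes keep a dummy state
        for i in in_nbrs:
            if i in faulty:
                continue
            # Receive step: one value per incoming edge (the vector r_i[t])
            received = [faulty[j](i, t, states) if j in faulty else states[j]
                        for j in in_nbrs[i]]
            new[i] = middle_update(states[i], received)
        states = new
        history.append({i: v for i, v in states.items() if i not in faulty})
    return history


def validity_holds(history: List[Dict[int, float]]) -> bool:
    """Validity condition: every fault-free state stays inside the interval
    [mu[t-1], U[t-1]] spanned by the previous iteration's fault-free states."""
    for prev, cur in zip(history, history[1:]):
        lo, hi = min(prev.values()), max(prev.values())
        if any(v < lo - 1e-12 or v > hi + 1e-12 for v in cur.values()):
            return False
    return True


def spread(states: Dict[int, float]) -> float:
    """U[t] - mu[t] over the fault-free nodes."""
    return max(states.values()) - min(states.values())


def complete_graph_demo(rounds: int = 60) -> Dict[str, float]:
    """Constructed run: complete directed graph on 5 nodes, node 4 Byzantine,
    f = 1.  Every in-degree is 4 >= 3f, so the first condition of Theorem 1
    holds.  The faulty node reports a huge value to even receivers and a tiny
    one to odd receivers; either way it falls into T or B and is trimmed."""
    in_nbrs = {i: [j for j in range(5) if j != i] for i in range(5)}
    init = {0: 1.0, 1: 2.0, 2: 3.0, 3: 4.0, 4: 0.0}   # node 4's entry is a dummy
    two_faced: Strategy = lambda rcv, t, st: 1000.0 if rcv % 2 == 0 else -1000.0
    hist = run_middle(in_nbrs, init, {4: two_faced}, rounds)
    return {"valid": float(validity_holds(hist)),
            "spread_after_1": spread(hist[1]),
            "spread_final": spread(hist[-1])}


def low_indegree_state() -> float:
    """Second case of the first-condition proof with f = 1: node i has
    |N_i^-| = 2 < 3f.  floor(2/3) = 0, so nothing is trimmed, the faulty
    neighbour's value Y lands in M, and v_i[1] exceeds X, the largest
    fault-free input: validity is violated."""
    X, x, Y = 10.0, 0.0, 1000.0            # constructed inputs
    return middle_update(X, [x, Y])        # fault-free sends x, faulty sends Y


def adequate_indegree_state() -> float:
    """Same inputs with |N_i^-| = 3 = 3f: Y is the largest received value,
    lands in T and is trimmed, so v_i[1] stays within [x, X]."""
    X, x, Y = 10.0, 0.0, 1000.0
    return middle_update(X, [x, x, Y])
```

In the complete-graph run the fault-free spread drops to 1 after the first iteration and then shrinks by a factor of 3 each iteration, so the states are numerically equal long before 60 iterations; the validity check passes at every step. The two single-step functions give $v_i[1] \approx 336.7 > X = 10$ when the in-degree is 2 and $v_i[1] = 5 \in [0, 10]$ when it is 3.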



Proof of second condition: Since the first condition is already proved to be necessary, we assume that the graph satisfies that condition. The proof for the second condition is also by contradiction. Suppose that the second condition is violated, i.e., in $G$, there exists some partition $F, L, C, R$ such that $C \cup R \not\Rightarrow L$ and $L \cup C \not\Rightarrow R$. Thus, for any $i \in L$, $\frac{|N_i^- \cap (C \cup R)|}{|N_i^-|} < \frac{1}{3}$, and for any $j \in R$, $\frac{|N_j^- \cap (L \cup C)|}{|N_j^-|} < \frac{1}{3}$. Also assume that the nodes in $F$ (if non-empty) are all faulty, and the nodes in $L, R, C$ are all fault-free. Note that the fault-free nodes are not aware of the true identity of the faulty nodes.

Consider the case when (i) each node in $L$ has initial input $x$, (ii) each node in $R$ has initial input $X$, such that $X > x$, and (iii) each node in $C$ (if non-empty) has an input in the interval $(x, X)$.

In the Transmit step of iteration 1, suppose that each faulty node in $F$ (if non-empty) sends $x^- < x$ on outgoing links to nodes in $L$, sends $X^+ > X$ on outgoing links to nodes in $R$, and sends some arbitrary value in the interval $[x, X]$ on outgoing links to nodes in $C$ (if non-empty). This behavior is possible since nodes in $F$ are faulty. Note that $x^- < x < X < X^+$. Each fault-free node $k \in \mathcal{V} - F$ sends $v_k[0]$ to nodes in $N_k^+$ in iteration 1.

Consider a node $i \in L$. In iteration 1, node $i$ receives $x^-$ from the nodes in $N_i^- \cap F$, $x$ from the nodes in $\{i\} \cup (N_i^- \cap L)$, and values in $(x, X]$ from the nodes in $N_i^- \cap (C \cup R)$. Then in the Update step, $|B| \ge f \ge |F|$ due to the first condition, i.e., $|N_i^-| \ge 3f$. Furthermore, set $T$ (calculated in the Update step at node $i$) contains all the values from $N_i^- \cap (C \cup R)$, since $C \cup R \not\Rightarrow L$, i.e., $\frac{|N_i^- \cap (C \cup R)|}{|N_i^-|} < \frac{1}{3}$, and the values received from the nodes in $C \cup R$ are the largest values in vector $r_i[1]$. Recall that in the Update step, node $i$ eliminates sets $B$ and $T$, and the remaining values, i.e., the values in $\{i\} \cup M$, are all $x$; therefore, $v_i[1]$ will be set to $x$ as per (1).

Thus, $v_i[1] = x$ for each node $i \in L$. Similarly, we can show that $v_j[1] = X$ for each node $j \in R$. Now consider the nodes in set $C$ (if non-empty). The initial state of the nodes in $C$ is in $(x, X)$, and all the values received from the neighbors are in $[x, X]$; therefore, the new state of the nodes in $C$ will remain in $(x, X)$ when using the Middle algorithm (since the node's own state is assigned a non-zero weight in (1)).

The above discussion implies that, at the end of iteration 1, the following conditions hold true: (i) the state of each node in $L$ is $x$, (ii) the state of each node in $R$ is $X$, and (iii) the state of each node in $C$ is in the interval $(x, X)$. These conditions are identical to the initial conditions listed previously. Then, by repeated application of the above argument (proof by induction), it follows that for any $t \ge 0$, $v_i[t] = x$ for all $i \in L$, $v_j[t] = X$ for all $j \in R$, and $v_k[t] \in (x, X)$ for all $k \in C$.

Since $L$ and $R$ both contain fault-free nodes, the convergence requirement is not satisfied. This is a contradiction to the assumption that a correct iterative algorithm exists.

□

5 Sufficient Condition

In Theorems 2 and 3 in this section, we prove that Middle Algorithm satisfies the validity and convergence conditions, respectively, provided that $G(\mathcal{V}, \mathcal{E})$ satisfies the condition below, which matches the necessary condition stated in Theorem 1.

Sufficient condition:

• For every node $v \in \mathcal{V}$, $|N_v^-| \ge 3f$, and

• Let sets $F, L, C, R$ form a partition of $\mathcal{V}$, such that $L$ and $R$ are both non-empty, and $|F| \le f$. Then, either $C \cup R \Rightarrow L$, or $L \cup C \Rightarrow R$.

The claim below follows immediately from the second condition above by setting $C = \emptyset$.

Claim 1 Suppose that $G(\mathcal{V}, \mathcal{E})$ satisfies the Sufficient condition stated above. Let $\{F, L, R\}$ be a partition of $\mathcal{V}$, such that $L$ and $R$ are both non-empty and $|F| \le f$. Then, either $L \Rightarrow R$ or $R \Rightarrow L$.
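The condition just stated (the two conditions of Theorem 1, used here as the sufficient condition) can be checked mechanically on small graphs. The following brute-force checker is an added example, not code from the paper: it enumerates every labelling of the nodes into $F, L, C, R$, skips the labellings the condition does not quantify over, and reports the first violating partition. The two graphs, the in-neighbour dictionary representation and the function names are constructed for this example; one assumption is made explicit in `implies`: a node with no incoming edges has an undefined ratio in (3) and is treated as not satisfying it.

```python
"""Brute-force checker for the conditions of Theorem 1 / Section 5.
Added example, not the paper's code; the graphs are constructed."""
from itertools import product
from typing import Dict, Optional, Set, Tuple

Graph = Dict[int, Set[int]]          # node -> N_i^- (its incoming neighbours)


def implies(g: Graph, a: Set[int], b: Set[int]) -> bool:
    """A => B (Definition 1): some v in B gets at least a third of its incoming
    edges from A.  Assumption: a node with no incoming edges, whose ratio in (3)
    is undefined, does not satisfy (3)."""
    return any(g[v] and 3 * len(g[v] & a) >= len(g[v]) for v in b)


def partition_ok(g: Graph, F: Set[int], L: Set[int], C: Set[int], R: Set[int]) -> bool:
    """Second condition for one partition: C u R => L or L u C => R."""
    return implies(g, C | R, L) or implies(g, L | C, R)


def check_condition(g: Graph, f: int) -> Tuple[bool, Optional[tuple]]:
    """Returns (True, None) if both conditions hold for up to f faults,
    otherwise (False, witness).  Enumerates all 4^n labellings of the nodes
    into F, L, C, R, so it is only meant for small graphs."""
    nodes = sorted(g)
    for v in nodes:                                  # first condition
        if len(g[v]) < 3 * f:
            return False, ("in-degree", v, len(g[v]))
    for labels in product("FLCR", repeat=len(nodes)):   # second condition
        part = {k: {v for v, lab in zip(nodes, labels) if lab == k} for k in "FLCR"}
        F, L, C, R = part["F"], part["L"], part["C"], part["R"]
        if len(F) > f or not L or not R:
            continue                 # not a partition the condition quantifies over
        if not partition_ok(g, F, L, C, R):
            return False, (F, L, C, R)
    return True, None


def complete_digraph(n: int) -> Graph:
    """Every ordered pair (i, j) with i != j is an edge."""
    return {i: {j for j in range(n) if j != i} for i in range(n)}


def two_cliques() -> Graph:
    """Constructed counterexample: two complete 4-node cliques {0..3} and
    {4..7} joined only by the edges 0->4 and 4->0.  Every in-degree is >= 3,
    so the first condition holds for f = 1, but the second does not: with
    L = {0..3}, R = {4..7}, C = F = {}, no node of L draws a third of its
    edges from R and no node of R draws a third from L."""
    g = {i: {j for j in range(4) if j != i} for i in range(4)}
    g.update({i: {j for j in range(4, 8) if j != i} for i in range(4, 8)})
    g[4].add(0)          # edge 0 -> 4
    g[0].add(4)          # edge 4 -> 0
    return g
```

On the complete directed graph on 4 nodes the checker reports success for $f = 1$ (every node in $L$ receives from all of $C \cup R$, and $|N_v^-| = 3$) and fails the in-degree test for $f = 2$; on the two-clique graph it passes the in-degree test and returns the first violating partition it meets.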

Theorem 2 Suppose that $\mathcal{F}$ is the set of Byzantine faulty nodes, and that $G(\mathcal{V}, \mathcal{E})$ satisfies the sufficient condition stated above. Then Middle Algorithm satisfies the validity condition.
Proof: Consider the $t$-th iteration, and any fault-free node $i \in \mathcal{V} - \mathcal{F}$. Consider two cases:

• $f = 0$: In this case, all nodes must be fault-free, and $\mathcal{F} = \emptyset$. In (1) in Middle Algorithm, note that $v_i[t]$ is computed using states from the previous iteration at node $i$ and other nodes. By definition of $\mu[t-1]$ and $U[t-1]$, $v_j[t-1] \in [\mu[t-1], U[t-1]]$ for all fault-free nodes $j \in \mathcal{V} - \mathcal{F} = \mathcal{V}$. Thus, in this case, all the values used in computing $v_i[t]$ are in the interval $[\mu[t-1], U[t-1]]$. Since $v_i[t]$ is computed as a weighted average of these values, $v_i[t]$ is also within $[\mu[t-1], U[t-1]]$.

• $f > 0$: Since $|N_i^-| \ge 3f$, $|r_i[t]| \ge 3f$. Thus set $T$ in the Update step contains at least the largest $f$ values from $r_i[t]$, and set $B$ contains at least the smallest $f$ values from $r_i[t]$. Since at most $f$ nodes are faulty, it follows that either (i) the values received from the faulty nodes are all eliminated, or (ii) the values from the faulty nodes that still remain are between values received from two fault-free nodes. Thus, the remaining values in $r_i[t]$, that is, the values received from nodes in set $M$, are all in the interval $[\mu[t-1], U[t-1]]$. Also, $v_i[t-1]$ is in $[\mu[t-1], U[t-1]]$, as per the definition of $\mu[t-1]$ and $U[t-1]$. Thus $v_i[t]$ is computed as a weighted average of values in $[\mu[t-1], U[t-1]]$, and, therefore, it will also be in $[\mu[t-1], U[t-1]]$.

Since $\forall i \in \mathcal{V} - \mathcal{F}$, $v_i[t] \in [\mu[t-1], U[t-1]]$, the validity condition is satisfied.

□

Definition 2 For disjoint sets $A, B$, $in(A \Rightarrow B)$ denotes the set of all the nodes in $B$ that have at least 1/3 of their incoming edges from nodes in $A$. More formally, $in(A \Rightarrow B)$ is the set of nodes $v \in B$ for which (3) holds. With an abuse of notation, when $A \not\Rightarrow B$, define $in(A \Rightarrow B) = \emptyset$.

Definition 3 For non-empty disjoint sets $A$ and $B$, set $A$ is said to propagate to set $B$ in $l$ steps, where $l > 0$, if there exist sequences of sets $A_0, A_1, A_2, \ldots, A_l$ and $B_0, B_1, B_2, \ldots, B_l$ (propagating sequences) such that

• $A_0 = A$, $B_0 = B$, $A_l = A \cup B$, $B_l = \emptyset$, $B_\tau \ne \emptyset$ for $\tau < l$, and

• for $0 \le \tau \le l - 1$,

- $A_\tau \Rightarrow B_\tau$,

- $A_{\tau+1} = A_\tau \cup in(A_\tau \Rightarrow B_\tau)$, and

- $B_{\tau+1} = B_\tau - in(A_\tau \Rightarrow B_\tau)$

Observe that $A_\tau$ and $B_\tau$ form a partition of $A \cup B$, and for $\tau < l$, $in(A_\tau \Rightarrow B_\tau) \ne \emptyset$. Also, when set $A$ propagates to set $B$, the number of steps $l$ in the above definition is upper bounded by $n - 1$.

Lemma 1 Assume that $G(\mathcal{V}, \mathcal{E})$ satisfies the sufficient condition stated above. For any partition $A, B, F$ of $\mathcal{V}$, where $A, B$ are both non-empty, and $|F| \le f$, either $A$ propagates to $B$, or $B$ propagates to $A$.
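Definitions 2 and 3 and the dichotomy of Lemma 1, as an added example (not code from the paper): `in_set` computes $in(A \Rightarrow B)$, `propagate` builds the propagating sequences of Definition 3 step by step and returns them (or reports that some $A_\tau \not\Rightarrow B_\tau$), and `lemma1_holds` checks the lemma exhaustively on a small graph. The 5-node graph, the complete graph and all function names are constructed for this example; as in Definition 1, a node with no incoming edges is assumed not to satisfy (3).

```python
"""in(A => B) (Definition 2), propagation (Definition 3) and Lemma 1 on
constructed graphs.  Added example, not the paper's code."""
from itertools import product
from typing import Dict, List, Optional, Set, Tuple

Graph = Dict[int, Set[int]]          # node -> N_i^- (its incoming neighbours)
Step = Tuple[Set[int], Set[int]]     # (A_tau, B_tau)


def in_set(g: Graph, a: Set[int], b: Set[int]) -> Set[int]:
    """in(A => B): the nodes of B with at least a third of their incoming edges
    from A.  Empty exactly when A does not imply B (Definition 1).  Nodes with
    no incoming edges are assumed not to satisfy (3)."""
    return {v for v in b if g[v] and 3 * len(g[v] & a) >= len(g[v])}


def propagate(g: Graph, a: Set[int], b: Set[int]) -> Optional[List[Step]]:
    """Build the propagating sequences of Definition 3.  Returns
    [(A_0, B_0), ..., (A_l, B_l)] with B_l empty if A propagates to B in l
    steps, or None if some A_tau fails to imply B_tau.  Each step moves at
    least one node from B to A, so l <= |B| <= n - 1."""
    a_t, b_t = set(a), set(b)
    seq: List[Step] = [(set(a_t), set(b_t))]
    while b_t:
        moved = in_set(g, a_t, b_t)
        if not moved:                 # A_tau !=> B_tau: propagation stalls
            return None
        a_t, b_t = a_t | moved, b_t - moved
        seq.append((set(a_t), set(b_t)))
    return seq


def lemma1_holds(g: Graph, f: int) -> bool:
    """Exhaustively check Lemma 1: for every partition A, B, F of V with A, B
    non-empty and |F| <= f, A propagates to B or B propagates to A."""
    nodes = sorted(g)
    for labels in product("ABF", repeat=len(nodes)):
        part = {k: {v for v, lab in zip(nodes, labels) if lab == k} for k in "ABF"}
        A, B, F = part["A"], part["B"], part["F"]
        if len(F) > f or not A or not B:
            continue
        if propagate(g, A, B) is None and propagate(g, B, A) is None:
            return False
    return True


def chain_graph() -> Graph:
    """Constructed 5-node graph in which {0} reaches the rest in two steps:
    node 1 takes a third of its edges from 0; nodes 2, 3, 4 only cross the
    1/3 threshold once node 1 has joined A.  In the other direction, {4}
    does not propagate to {0, 1, 2, 3} at all."""
    return {0: {1, 2, 3}, 1: {0, 2, 3}, 2: {0, 1, 3, 4},
            3: {0, 1, 2, 4}, 4: {1, 2, 3}}


def complete_digraph(n: int) -> Graph:
    """Every ordered pair (i, j) with i != j is an edge."""
    return {i: {j for j in range(n) if j != i} for i in range(n)}
```

On `chain_graph()`, `propagate(g, {0}, {1, 2, 3, 4})` returns the sequence $A_0 = \{0\}$, $A_1 = \{0, 1\}$, $A_2 = \mathcal{V}$, so $l = 2$; `propagate(g, {4}, {0, 1, 2, 3})` returns `None` while the reverse direction succeeds in one step, which is the two-sided outcome Lemma 1 promises. On the complete graph on 4 nodes every node of $B$ draws all of $A$'s edges, so every partition propagates in one step and `lemma1_holds` returns `True` for $f = 1$.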
The proof of Lemma 1 is similar to the proof in our prior work [3]; the proof is included in Appendix A.

The lemma below states that the interval to which the states at all the fault-free nodes are confined shrinks after a finite number of iterations of Middle Algorithm. Recall that $U[t]$ and $\mu[t]$ (defined in Section 3) are the maximum and minimum over the states at the fault-free nodes at the end of the $t$-th iteration.

Lemma 2 Suppose that $G(\mathcal{V}, \mathcal{E})$ satisfies the sufficient condition stated above, and $\mathcal{F}$ is the set of Byzantine faulty nodes. Moreover, at the end of the $s$-th iteration of Middle Algorithm, suppose that the fault-free nodes in $\mathcal{V} - \mathcal{F}$ can be partitioned into non-empty sets $R$ and $L$ such that (i) $R$ propagates to $L$ in $l$ steps, and (ii) the states of the nodes in $R$ are confined to an interval of length $\le \frac{U[s] - \mu[s]}{2}$. Then, with the Middle algorithm,

$$U[s + l] - \mu[s + l] \le \left(1 - \frac{\alpha^l}{2}\right)(U[s] - \mu[s]) \qquad (4)$$

where $\alpha$ is as defined in (2).

The proof of the above lemma is presented in Appendix B.

Theorem 3 Suppose that $\mathcal{F}$ is the set of Byzantine faulty nodes, and that $G(\mathcal{V}, \mathcal{E})$ satisfies the sufficient condition stated above. Then the Middle algorithm satisfies the convergence condition.



Proof: Our goal is to prove that, given any $\epsilon > 0$, there exists $\tau$ such that

$$U[t] - \mu[t] < \epsilon \quad \forall t \ge \tau \qquad (5)$$

Consider the $s$-th iteration, for some $s \ge 0$. If $U[s] - \mu[s] = 0$, then the algorithm has already converged, and the proof is complete, with $\tau = s$ (recall that we have already proved that the algorithm satisfies the validity condition).

Now, consider the case when $U[s] - \mu[s] > 0$. Partition $\mathcal{V} - \mathcal{F}$ into two subsets, $A$ and $B$, such that, for each node $i \in A$, $v_i[s] \in \left[\mu[s], \frac{U[s] + \mu[s]}{2}\right)$, and for each node $j \in B$, $v_j[s] \in \left[\frac{U[s] + \mu[s]}{2}, U[s]\right]$. By definition of $\mu[s]$ and $U[s]$, there exist fault-free nodes $i$ and $j$ such that $v_i[s] = \mu[s]$ and $v_j[s] = U[s]$. Thus, sets $A$ and $B$ are both non-empty. By Lemma 1, one of the following two conditions must be true:

• Set $A$ propagates to set $B$. Then, define $L = B$ and $R = A$. The states of all the nodes in $R = A$ are confined within an interval of length strictly less than $\frac{U[s] + \mu[s]}{2} - \mu[s] = \frac{U[s] - \mu[s]}{2}$.

• Set $B$ propagates to set $A$. Then, define $L = A$ and $R = B$. In this case, the states of all the nodes in $R = B$ are confined within an interval of length less than or equal to $U[s] - \frac{U[s] + \mu[s]}{2} = \frac{U[s] - \mu[s]}{2}$.

In both cases above, we have found non-empty sets $L$ and $R$ such that (i) $L, R$ is a partition of $\mathcal{V} - \mathcal{F}$, (ii) $R$ propagates to $L$, and (iii) the states in $R$ are confined to an interval of length less than or equal to $\frac{U[s] - \mu[s]}{2}$. Suppose that $R$ propagates to $L$ in $l(s)$ steps, where $l(s) \ge 1$. Then by Lemma 2,

$$U[s + l(s)] - \mu[s + l(s)] \le \left(1 - \frac{\alpha^{l(s)}}{2}\right)(U[s] - \mu[s]) \qquad (6)$$

In the Middle algorithm, observe that $a_i > 0$ for all $i$. Therefore, $\alpha$ defined in (2) is $> 0$. Then, $n - 1 \ge l(s) \ge 1$ and $0 < \alpha \le 1$; hence, $0 < \left(1 - \frac{\alpha^{l(s)}}{2}\right) < 1$.

Let us define the following sequence of iteration indices:

• $\tau_0 = 0$,

• for $i > 0$, $\tau_i = \tau_{i-1} + l(\tau_{i-1})$, where $l(s)$ for any given $s$ was defined above.

If for some $i$, $U[\tau_i] - \mu[\tau_i] = 0$, then since the algorithm is already proved to satisfy the validity condition, we will have $U[t] - \mu[t] = 0$ for all $t \ge \tau_i$, and the proof of convergence is complete.

Now, suppose that $U[\tau_i] - \mu[\tau_i] \ne 0$ for the values of $i$ in the analysis below. By repeated application of the argument leading to (6), we can prove that, for $i > 0$,

$$U[\tau_i] - \mu[\tau_i] \le \left(\prod_{j=1}^{i} \left(1 - \frac{\alpha^{l(\tau_{j-1})}}{2}\right)\right)(U[0] - \mu[0]) \qquad (7)$$

For a given $\epsilon$, by choosing a large enough $i$, we can obtain

$$\left(\prod_{j=1}^{i} \left(1 - \frac{\alpha^{l(\tau_{j-1})}}{2}\right)\right)(U[0] - \mu[0]) < \epsilon$$

and, therefore,

$$U[\tau_i] - \mu[\tau_i] < \epsilon \qquad (8)$$

For $t \ge \tau_i$, by validity of the Middle algorithm, it follows that

$$U[t] - \mu[t] \le U[\tau_i] - \mu[\tau_i] < \epsilon$$

This concludes the proof. □



6 Discussion

The results in this report can be easily extended to the following version of the validity condition:

• Validity: $\forall t$, $\mu[t] \ge \mu[0]$ and $U[t] \le U[0]$

This validity condition is weaker than the condition satisfied by the Middle algorithm; therefore, the algorithm satisfies this validity condition as well. Also, it should be easy to see that our necessary condition also holds under the above validity condition (the proof remains essentially unchanged).

In our analysis here, we assumed that the system is synchronous, and messages sent in each iteration are delivered in the same iteration. That is, the state update in the $t$-th iteration uses neighbors' states at the end of the $(t-1)$-th iteration. The results in this paper can be extended to the case when messages may be delayed such that the latest state available from a neighbor may be from iteration $(t - B)$, for some finite $B > 0$. In this case, our original validity condition will need to be modified to require that the state of the fault-free nodes at the end of any iteration remains in the convex hull of the fault-free nodes $B$ iterations ago.

We now state a result without proof. Further details will be presented elsewhere. Consider an Erdős–Rényi random graph $G_{n,p}(\mathcal{V}, \mathcal{E})$, where $\mathcal{V}$ contains $n$ vertices, and edge $(i, j) \in \mathcal{E}$ with probability $p$ independently for each $(i, j)$. For large $n$, this random graph satisfies the condition in Theorem 1 with high probability if and only if $p = \Omega(t)$, where $t$ is a threshold dependent on $n$ and $f$.

7 Summary

This paper introduces a parameter-independent iterative algorithm, the Middle algorithm, that solves the approximate Byzantine consensus problem. The Middle algorithm does not explicitly use the global parameter of the graph, i.e., the upper bound on the number of faults, $f$. We prove tight necessary and sufficient conditions for the correctness of the Middle algorithm that tolerates up to $f$ Byzantine faults in directed graphs.

References

[1] D. Dolev, N. A. Lynch, S. S. Pinter, E. W. Stark, and W. E. Weihl. Reaching approximate agreement in the presence of faults. J. ACM, 33:499–516, May 1986.

[2] N. A. Lynch. Distributed Algorithms. Morgan Kaufmann, 1996.

[3] N. H. Vaidya, L. Tseng, and G. Liang. Iterative approximate Byzantine consensus in arbitrary directed graphs. In Proceedings of the Thirty-First Annual ACM Symposium on Principles of Distributed Computing, PODC '12. ACM, 2012.

A Proof of Lemma 1

To prove Lemma 1, we first prove the following lemma.

Lemma 3 Assume that $G(\mathcal{V}, \mathcal{E})$ satisfies the Sufficient condition. Consider a partition $A, B, F$ of $\mathcal{V}$ such that $A$ and $B$ are non-empty, and $|F| \le f$. If $B \not\Rightarrow A$, then set $A$ propagates to set $B$.

Proof: Since $B \not\Rightarrow A$, by Claim 1, $A \Rightarrow B$.

Define $A_0 = A$ and $B_0 = B$. Now, for a suitable $l > 0$, we will build propagating sequences $A_0, A_1, \ldots, A_l$ and $B_0, B_1, \ldots, B_l$ inductively.

• Recall that $A_0 = A$ and $B_0 = B \ne \emptyset$. Since $A_0 \Rightarrow B_0$, $in(A_0 \Rightarrow B_0) \ne \emptyset$. Define $A_1 = A_0 \cup in(A_0 \Rightarrow B_0)$ and $B_1 = B_0 - in(A_0 \Rightarrow B_0)$.

If $B_1 = \emptyset$, then $l = 1$, and we have found the propagating sequences already.

If $B_1 \ne \emptyset$, then define $L = A = A_0$, $R = B_1$ and $C = A_1 - A_0 = B_0 - B_1$. Note that $B = R \cup C$, $A_1 = L \cup C$, and $L, C, R, F$ form a partition of the set of nodes. Since $B \not\Rightarrow A$, $R \cup C \not\Rightarrow L$. Therefore, by the Sufficient condition, $L \cup C \Rightarrow R$. That is, $A_1 \Rightarrow B_1$.

• For increasing values of $i > 0$, given $A_i$ and $B_i$, where $B_i \ne \emptyset$, by following steps similar to the previous item, we can obtain $A_{i+1} = A_i \cup in(A_i \Rightarrow B_i)$ and $B_{i+1} = B_i - in(A_i \Rightarrow B_i)$, such that either $B_{i+1} = \emptyset$ or $A_{i+1} \Rightarrow B_{i+1}$.

In the above construction, $l$ is the smallest index such that $B_l = \emptyset$. □
Proof of Lemma 1

Proof: Consider two cases:

• $A \not\Rightarrow B$: Then by Lemma 3 above, $B$ propagates to $A$, completing the proof.

• $A \Rightarrow B$: In this case, consider two sub-cases:

- $A$ propagates to $B$: The proof in this case is complete.

- $A$ does not propagate to $B$: Recall that $A \Rightarrow B$. Since $A$ does not propagate to $B$, the propagating sequences defined in Definition 3 do not exist in this case. More precisely, there must exist $k > 0$, and sets $A_0, A_1, \ldots, A_k$ and $B_0, B_1, \ldots, B_k$, such that:

* $A_0 = A$ and $B_0 = B$, and

* for $0 \le i \le k - 1$,

◦ $A_i \Rightarrow B_i$,

◦ $A_{i+1} = A_i \cup in(A_i \Rightarrow B_i)$, and

◦ $B_{i+1} = B_i - in(A_i \Rightarrow B_i)$.

* $B_k \ne \emptyset$ and $A_k \not\Rightarrow B_k$.

The last condition above violates the requirements for $A$ to propagate to $B$.

Now, $A_k \ne \emptyset$, $B_k \ne \emptyset$, and $A_k, B_k, F$ form a partition of $\mathcal{V}$. Since $A_k \not\Rightarrow B_k$, by Lemma 3 above, $B_k$ propagates to $A_k$.

Given that $B_k \subseteq B_0 = B$, $A = A_0 \subseteq A_k$, and $B_k$ propagates to $A_k$, we now prove that $B$ propagates to $A$.

Recall that $A_i$ and $B_i$ form a partition of $\mathcal{V} - F$.

Let us define $P = P_0 = B_k$ and $Q = Q_0 = A_k$. Thus, $P$ propagates to $Q$. Suppose that $P_0, P_1, \ldots, P_m$ and $Q_0, Q_1, \ldots, Q_m$ are the propagating sequences in this case, with $P_i$ and $Q_i$ forming a partition of $P \cup Q = A_k \cup B_k = \mathcal{V} - F$.

Let us define $R = R_0 = B$ and $S = S_0 = A$. Note that $R, S$ form a partition of $A \cup B = \mathcal{V} - F$. Now, $P_0 = B_k \subseteq B = R_0$ and $S_0 = A \subseteq A_k = Q_0$. Also, $R_0 - P_0$ and $S_0$ form a partition of $Q_0$.

* Define $P_1 = P_0 \cup in(P_0 \Rightarrow Q_0)$, and $Q_1 = \mathcal{V} - F - P_1 = Q_0 - in(P_0 \Rightarrow Q_0)$. Also, $R_1 = R_0 \cup in(R_0 \Rightarrow S_0)$, and $S_1 = \mathcal{V} - F - R_1 = S_0 - in(R_0 \Rightarrow S_0)$.

Since $R_0 - P_0$ and $S_0$ are a partition of $Q_0$, the nodes in $in(P_0 \Rightarrow Q_0)$ belong to one of these two sets. Note that $R_0 - P_0 \subseteq R_1$. Also, $S_0 \cap in(P_0 \Rightarrow Q_0) \subseteq in(R_0 \Rightarrow S_0)$. Therefore, it follows that $P_1 = P_0 \cup in(P_0 \Rightarrow Q_0) \subseteq R_0 \cup in(R_0 \Rightarrow S_0) = R_1$. Thus, we have shown that $P_1 \subseteq R_1$. Then it follows that $S_1 \subseteq Q_1$.

* For $0 \le i < m$, let us define $R_{i+1} = R_i \cup in(R_i \Rightarrow S_i)$ and $S_{i+1} = S_i - in(R_i \Rightarrow S_i)$. Then, following an argument similar to the above case, we can inductively show that $P_i \subseteq R_i$ and $S_i \subseteq Q_i$. Due to the assumption on the length of the propagating sequence above, $P_m = P \cup Q = \mathcal{V} - F$ and $Q_m = \emptyset$. Thus, there must exist $r \le m$ such that for $i < r$, $R_i \ne \mathcal{V} - F$, and $R_r = \mathcal{V} - F$ and $S_r = \emptyset$.

The sequences $R_0, R_1, \ldots, R_r$ and $S_0, S_1, \ldots, S_r$ form propagating sequences, proving that $R = B$ propagates to $S = A$.

□

B Proof of Lemma 2

We first present two additional lemmas (using the notation in Middle Algorithm).

Lemma 4 Suppose that $\mathcal{F}$ is the set of faulty nodes, and that $G(\mathcal{V}, \mathcal{E})$ satisfies the "sufficient condition" stated in Section 5. Consider fault-free node $i \in \mathcal{V} - \mathcal{F}$. Let $\psi \le \mu[t-1]$. Then, for $j \in \{i\} \cup M$,

$$v_i[t] - \psi \ge a_i (w_j - \psi)$$

where $w_j$ is the value received by node $i$ from node $j$ in the $t$-th iteration. Specifically, for fault-free $j \in \{i\} \cup M$,

$$v_i[t] - \psi \ge a_i (v_j[t-1] - \psi)$$

Proof: In (1) in Middle Algorithm, for each $j \in \{i\} \cup M$, consider two cases:

• $j$ is fault-free: Then, either $j = i$ or $j \in M \cap (\mathcal{V} - \mathcal{F})$. In this case, $w_j = v_j[t-1]$. Therefore, $\mu[t-1] \le w_j \le U[t-1]$.

• $j$ is faulty: In this case, $f$ must be non-zero (otherwise, all nodes are fault-free). By Theorem 1, $|N_i^-| \ge 3f$. Then it follows that, in the Update step of the Middle algorithm, $|B| \ge f$, and set $B$ contains the state of at least one fault-free node, say $k$. This implies that $v_k[t-1] \le w_j$. This, in turn, implies that $\mu[t-1] \le w_j$.

Thus, for all $j \in \{i\} \cup M$, we have $\mu[t-1] \le w_j$. Therefore,

$$w_j - \psi \ge 0 \quad \text{for all } j \in \{i\} \cup M \qquad (9)$$

Since the weights in (1) in Middle Algorithm add to 1, we can re-write that equation as

$$v_i[t] - \psi = \sum_{j \in \{i\} \cup M} a_i (w_j - \psi) \qquad (10)$$

$$\ge a_i (w_j - \psi), \quad \forall j \in \{i\} \cup M, \ \text{from (9)}$$

For fault-free $j \in \{i\} \cup M$, $w_j = v_j[t-1]$; therefore,

$$v_i[t] - \psi \ge a_i (v_j[t-1] - \psi) \qquad (11)$$

□

Lemma 5 Suppose that $\mathcal{F}$ is the set of faulty nodes, and that $G(\mathcal{V}, \mathcal{E})$ satisfies the "sufficient condition" stated in Section 5. Consider fault-free node $i \in \mathcal{V} - \mathcal{F}$. Let $\Psi \ge U[t-1]$. Then, for $j \in \{i\} \cup M$,

$$\Psi - v_i[t] \ge a_i (\Psi - w_j)$$

where $w_j$ is the value received by node $i$ from node $j$ in the $t$-th iteration. Specifically, for fault-free $j \in \{i\} \cup M$,

$$\Psi - v_i[t] \ge a_i (\Psi - v_j[t-1])$$

Proof: The proof is similar to the proof of Lemma 4. □



Proof of Lemma 2

Proof: Since $R$ propagates to $L$, as per Definition 3, there exist sequences of sets $R_0, R_1, \ldots, R_l$ and $L_0, L_1, \ldots, L_l$ where

• $R_0 = R$, $L_0 = L$, $R_l = R \cup L$, $L_l = \emptyset$, for $0 \le \tau < l$, $L_\tau \ne \emptyset$, and

• for $0 \le \tau \le l - 1$,

* $R_\tau \Rightarrow L_\tau$,

* $R_{\tau+1} = R_\tau \cup in(R_\tau \Rightarrow L_\tau)$, and

* $L_{\tau+1} = L_\tau - in(R_\tau \Rightarrow L_\tau)$

Let us define the following bounds on the states of the nodes in $R$ at the end of the $s$-th iteration:

$$X = \max_{j \in R} v_j[s] \qquad (12)$$

$$x = \min_{j \in R} v_j[s] \qquad (13)$$

By the assumption in the statement of Lemma 2,

$$X - x \le \frac{U[s] - \mu[s]}{2} \qquad (14)$$

Also, $X \le U[s]$ and $x \ge \mu[s]$. Therefore, $U[s] - X \ge 0$ and $x - \mu[s] \ge 0$.

The remaining proof of Lemma 2 relies on the derivation of the three intermediate claims below.

Claim 2 For $0 \le \tau \le l$, for each node $i \in R_\tau$,

$$v_i[s + \tau] - \mu[s] \ge \alpha^\tau (x - \mu[s]) \qquad (15)$$

Proof of Claim 2: The proof is by induction.

Induction basis: By definition of $x$, (15) holds true for $\tau = 0$.

Induction: Assume that (15) holds true for some $\tau$, $0 \le \tau < l$. Consider $R_{\tau+1}$. Observe that $R_\tau$ and $R_{\tau+1} - R_\tau$ form a partition of $R_{\tau+1}$; let us consider each of these sets separately.
• Set $R_\tau$: By assumption, for each $i \in R_\tau$, (15) holds true. By validity of Middle Algorithm (proved in Theorem 2), $\mu[s] \le \mu[s + \tau]$. Therefore, setting $\psi = \mu[s]$ and $t = s + \tau + 1$ in Lemma 4, we get

$$v_i[s + \tau + 1] - \mu[s] \ge a_i (v_i[s + \tau] - \mu[s]) \ge a_i \alpha^\tau (x - \mu[s]) \ge \alpha^{\tau+1} (x - \mu[s])$$

where the second inequality is due to (15), and the third is due to (2) and because $x - \mu[s] \ge 0$.

• Set $R_{\tau+1} - R_\tau$: Consider a node $i \in R_{\tau+1} - R_\tau$. By definition of $R_{\tau+1}$, we have that $i \in in(R_\tau \Rightarrow L_\tau)$. Thus,

$$\frac{|N_i^- \cap R_\tau|}{|N_i^-|} \ge \frac{1}{3}$$

In Middle Algorithm, the values in sets $B$ and $T$ received by node $i$ are eliminated before $v_i[s + \tau + 1]$ is computed at the end of the $(s + \tau + 1)$-th iteration. Consider two possibilities:

- The value received from one of the nodes in $N_i^- \cap R_\tau$ is not eliminated. Suppose that this value is received from fault-free node $p \in N_i^- \cap R_\tau$. Then, $p \in M$, and by an argument similar to the previous case, we can set $\psi = \mu[s]$ in Lemma 4 to obtain

$$v_i[s + \tau + 1] - \mu[s] \ge a_i (v_p[s + \tau] - \mu[s]) \ge a_i \alpha^\tau (x - \mu[s]) \ge \alpha^{\tau+1} (x - \mu[s])$$

where the second inequality is due to (15), and the third is due to (2) and because $x - \mu[s] \ge 0$.

- The values received from all nodes in $N_i^- \cap R_\tau$ are eliminated. Thus, $(N_i^- \cap R_\tau) \subseteq T \cup B$. Recall that $|N_i^- \cap R_\tau| \ge |N_i^-|/3 \ge |B| = |T|$. Thus, $T$ and $B$ must both contain at least one node from $N_i^- \cap R_\tau$. Therefore, the values that are not eliminated, that is, the values received from nodes in $M$, are within the interval to which the values received from the nodes in $N_i^- \cap R_\tau$ belong. Thus, there exists a node $k$ (possibly faulty) in $M$ from whom node $i$ receives some value, which is not eliminated, and a fault-free node $p \in N_i^- \cap R_\tau$ such that

$$v_p[s + \tau] \le w_k \qquad (16)$$

Then by setting $\psi = \mu[s]$ and $t = s + \tau + 1$ in Lemma 4, we have

$$v_i[s + \tau + 1] - \mu[s] \ge a_i (w_k - \mu[s]) \ge a_i (v_p[s + \tau] - \mu[s]) \ge a_i \alpha^\tau (x - \mu[s]) \ge \alpha^{\tau+1} (x - \mu[s])$$

where the second inequality is by (16), the third is due to (15), and the fourth is due to (2) and because $x - \mu[s] \ge 0$.

Thus, we have shown that for all nodes in $R_{\tau+1}$,

$$v_i[s + \tau + 1] - \mu[s] \ge \alpha^{\tau+1} (x - \mu[s])$$

This completes the proof of Claim 2.

Claim 3 For each node $i \in \mathcal{V} - \mathcal{F}$,

$$v_i[s + l] - \mu[s] \ge \alpha^l (x - \mu[s]) \qquad (17)$$

Proof of Claim 3: Note that by definition, $R_l = \mathcal{V} - \mathcal{F}$. Then the proof follows by setting $\tau = l$ in the above Claim 2.

Claim 4 For each node $i \in \mathcal{V} - \mathcal{F}$,

$$U[s] - v_i[s + l] \ge \alpha^l (U[s] - X) \qquad (18)$$

The proof of Claim 4 is similar to the proof of Claim 3.

Now let us resume the proof of Lemma 2. Thus,

$$U[s + l] = \max_{i \in \mathcal{V} - \mathcal{F}} v_i[s + l] \le U[s] - \alpha^l (U[s] - X) \qquad (19)$$

by (18), and

$$\mu[s + l] = \min_{i \in \mathcal{V} - \mathcal{F}} v_i[s + l] \ge \mu[s] + \alpha^l (x - \mu[s]) \qquad (20)$$

by (17).

Subtracting (20) from (19),

$$\begin{aligned}
U[s + l] - \mu[s + l] &\le U[s] - \alpha^l (U[s] - X) - \mu[s] - \alpha^l (x - \mu[s]) \\
&= (1 - \alpha^l)(U[s] - \mu[s]) + \alpha^l (X - x) \\
&\le (1 - \alpha^l)(U[s] - \mu[s]) + \alpha^l \, \frac{U[s] - \mu[s]}{2} \quad \text{by (14)} \\
&= \left(1 - \frac{\alpha^l}{2}\right)(U[s] - \mu[s])
\end{aligned}$$

This concludes the proof of Lemma 2.